OCTOBER 2008
Strategy
Talking about a revolution
One of the most enduring threats to an organisation’s security can be found in its unwitting employees. David Lacey looks at the ways we can instil new attitudes and minimise the risk posed by the human factor
Last year, a single action by a junior HMRC employee (the loss
of two discs holding the personal details of some 25 million
child benefit recipients) triggered a major crisis, prompting
the resignation of its chairman, as well as a large drop in
public confidence in government custodianship. It astounded
many that such a small, seemingly innocent action could create
so much outrage and impact.
That however, is the nature of modern organisations. The
source of power, influence and control has shifted from the
bridge to the engine room. Flattened, networked enterprises
with large, centralised databases place enormous power in the
hands of employees.
The root cause of the HMRC incident has been well
established by numerous reviews; at the heart of the problem
is information security culture, or, rather, a lack of it. As the
recent Cabinet Office report on the incident states, we need a
culture that properly values, protects and uses data, both in the
planning and delivery of public services. The problem is not
new, though there is now a greater urgency to fix it.
The information security industry has consistently
underestimated the role and importance of people. With
hindsight, we should have learned this lesson from the breaking
of the Enigma cipher transmissions during the Second World
War. That system was believed to be unbreakable, but it was
compromised in large part through operator errors and poor
procedures.
Since the introduction of commercial computers, our
business information systems and data have been repeatedly
undermined by design flaws, weak passwords, lost media, social
engineering and numerous other bad practices. And these
risks are growing with the increasing richness, complexity and
networking of modern business systems.
People are the soft underbelly of information security.
They design, implement and operate our information systems.
They use, misuse and abuse them. They manage the physical
and logical access to our systems and data. They also create
mistakes, incidents and the weaknesses that enable criminals to
steal, corrupt and manipulate our intellectual assets.
A new awakening
People are finally waking up to the importance of the human
factor in information security. The subject is gaining ground
in research and academic circles, but out in the field, at the
sharp end of our business, it’s a very different matter. Security
managers don’t pay enough attention to the human factor. We
complain about the problem. But we don’t invest sufficient time,
resource or money to fix it.
The question of what percentage of a security budget should
be allocated to education is often raised. The answer? Between
10 and 20%, which reflects both the minimum need for
education and the substantial return on investment that can be
achieved through a major reduction in security incidents.
There are very few companies that spend anywhere near that
amount, and most companies would not know where to start or
what to spend their money on. Human factors are simply too
vague and abstract for a technologist to get to grips with.
Staff don’t read security policies and manuals; they don’t
pay attention to lackluster flyers designed by security staff with
no communications experience. To date, security policies have
served primarily as a tick-the-box compliance measure, rather
than a vehicle for inspiring real behaviour change.
The style of security education needed for today’s socially
networked world is quite different from that of yesterday’s
process driven world. We live and work in a Web 2.0 business
world, and that requires no less than the equivalent of a security
2.0 solution; security with a stronger focus on people and their
relationships.
A new kind of security
The ISO 27001 standard was a major breakthrough in its day.
But it’s a vehicle conceived more than fifteen years ago. It
epitomises information security management for a process-
driven business world. And that world is slowly dissolving. It’s
time to work on a radical approach for a real-time generation
that operates in a nomadic, networked world.
New security is a paradigm shift from our traditional security
focus on processes and procedures. Risk management is no
longer the answer; it’s no more than a measuring stick.
The new focus needs to be on people, relationships and
information flows. As Debi Ashenden, a senior fellow at the
UK Defence College of Management & Technology, put it a
few years ago: “The future of information security is pink and
fluffy”. Security managers have to engage a lot more effectively
with management and staff in order to have any real impact on
their security behaviour. And it has to be a two-way emotional
communication, not a one-way broadcast of dogma.
A revolution in thinking
To support this new kind of security, we need a brand new
knowledge base of theories, techniques and methods, ones
that are very different from the deterministic methods we’ve
employed for risk management, security architecture and
vulnerability management. We need softer, smarter skills to
educate and change people. And that includes the security
professionals themselves.
The starting point is to appreciate how people think and
how modern networks work. Social networks are dissolving
traditional approaches to security. They cut through corporate
boundaries, including those between our business and personal
lifestyles. Networks provide the lever for promoting our
ideas, policies and initiatives. They are the new engine of the
information age, no less than the equivalent of the invention
of factories in the industrial age. Networks can help us to
build the new community solutions that we need to manage
the challenges of the future. We know that the future will be
a much more dangerous place than it is today. Knowledge
bases and information flows will be under greater threat from
sophisticated spies and fraudsters.
Meeting this challenge demands that we harness the
efforts of everyone in the corporation, including our customers
and business partners. We need their collective vision and
perception to understand the root causes of incidents and gain
visibility of events and their context.
We need better security and information systems that allow
a sensible margin of human error, to eliminate unnecessary
mistakes, accidents and breaches. But good security design can
only be achieved through closer engagement with our users. We
have to learn to appreciate their culture, requirements, likes,
dislikes and expectations. The difference between a design that
works and one that fails is often no more than a small detail or
two.
Realistic risk management
And we need to improve the way we respond to risks, incidents
and crises, because we’re entering a world of increasing
hazards, uncertainty and volatility. That means coming to
terms with our human limitations for managing them. Risks
are a peculiar blend of logic and gut feeling, with the latter
dominating the former. In theory, risk management is simple.
But in practice, we’re all astoundingly bad at assessing and
managing risks. Our perception is shaped by our experience,
personal agenda and personal characteristics such as
personality, gender, age, culture and religion. Risks are more
emotional than scientific.
The current financial crisis also demonstrates very clearly
that even the most sophisticated risk management systems
cannot stop managers from gambling away the family silver.
Risk management is a decision-support tool, not a decision-
making process. It’s a vast oversimplification of reality. Its
limitations need to be acknowledged.
It’s important to accept that not everybody is honest. Many
people will cheat if they can avoid getting caught, especially if
everyone else seems to be doing it. But aiming to catch crooks
after the event is not the most sensible security strategy. It’s
much better to design systems that are intrinsically secure. We
can vet staff, monitor their actions, and reduce incentives
for corruption. But people will always be easily seduced and
fooled. Besides, our identity management systems are far from
watertight.
Changing security culture
Getting to grips with organisation culture is not easy, especially
if you’re a part of it. An outside perspective is required to penetrate,
expose and transform organisation culture.
Security culture can be built on either fear or inspiration.
Both fear and inspiration get things done, but a brutal approach
is, sadly, easier to sell and implement.
Navigating organisation culture means understanding
and compensating for the limitations and aspirations of our
management and staff, as well as being alert to the politics of the
day.
Designing more effective security campaigns that match
security messages to real business and personal concerns,
based on memorable messages, should begin to resonate with
people.
But changing people’s attitudes and behaviour is harder. The
starting point is to gain a deeper insight into how people think,
and an appreciation of the enablers and blockers that trigger or
prevent the security behaviour we desire.
A better but more dangerous future
Looking ahead, it’s clear that, though we cannot predict the
future, we can anticipate many important emerging trends,
technologies and issues.
However pessimistic you might be, it’s worth noting that
the future will be a better place. Pay no attention to the current
financial crisis. The fact is that, in the long term, we’ll all be healthier,
live longer, and most of us will be financially richer. Our security focus,
however, will be very different from today.
Information flows and relationships will be the new source
of intellectual value in networks. Our protective measures will
need to evolve towards providing a dynamic wrapper of integrity
and trust around our business relationships and information
flows, rather than simply aiming to block inappropriate access
or content.
Security managers will also need to appreciate and to
master a much richer set of dimensions for information, and to
understand and influence how these dimensions might evolve
over time.
We’re entering an age of pervasive knowledge, coupled with
the ability to create weapons and incidents of mass effect.
These trends are inevitable and irreversible. They are the way of
the new information age.
David Lacey’s book Managing the Human Factor in Information Security will
be published by John Wiley in January 2009.